On 19/08/2019 16:34, Giles Coochey wrote:
On 19/08/2019 15:57, Richard Perlman wrote:
Got it. Makes sense. While my APs are in “bridge” mode, I do have
switches deployed in several locations, notably between the Mac I am
running Wireshark on and the rest of the network. I am not exactly
sure how, or, with the equipment I have, if I can set up a span
session. All the information on doing that seems to assume Cisco
gear. My network is fairly simple and consists of Wi-Fi access points
(mostly aging Apple Airports), Ethernet switches and a gateway router
provided by my ISP (Free.fr <http://free.fr/> in France).
In any case, I at least know why I don’t see the traffic.
There are other ways of doing that - but it will involve some extra
equipment:
1. A small SoC computer can be set up as a router, potentially capable
of running tcpdump to take the packet captures.
2. A physical TAP on a port can make a copy of the traffic and you can
connect your kit running Wireshark to that.
3. Even a second-hand Cisco switch can be purchased on eBay pretty
cheaply.
The SoC computer might be the cheapest option, I'm thinking Raspberry
Pi - this has Wi-Fi and a gigabit port, so could temporarily replace
your AP, and the Debian-based Raspbian software can run Wireshark, or
you can run tcpdump and then export the pcap to view in Wireshark.
Second cheapest, although probably close in price, would be a used
Cisco switch, anything in the Catalyst range would have the span
session capability:
https://www.ebay.co.uk/itm/CISCO-CATALYST-3560-SERIES-PoE-24-WS-C3560-24PS-24-PORT-PoE-SWITCH-FREE-DEL/272243680614?epid=1017614211&hash=item3f62fce566:g:~2cAAOSwMwxbVg8k
- this is probably technically easier than the SoC option, but does
require some Cisco know-how.
The TAP option is probably the most expensive for an industrial tap
device, but it requires no technical know-how, just connecting the AP
or your gateway in line and connecting your Wireshark device to the
other port. There are only a few (perhaps three) permutations where
you can go wrong, and you'll know if you've connected it up wrong
(nothing works, and/or you see no packets).
Forgot to mention, outside Cisco the feature is called "port mirroring",
and even some low-end TP-Link devices support this:
https://www.amazon.co.uk/TP-Link-TL-SG105E-Desktop-Easy-Smart-Ethernet/dp/B00N0OHEMA/ref=asc_df_B00N0OHEMA/?tag=googshopuk-21&linkCode=df0&hvadid=310754948045&hvpos=1o2&hvnetw=g&hvrand=13136108276810328918&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=1006978&hvtargid=pla-343408315892&psc=1&th=1&psc=1
--
Giles Coochey
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe